Keeping Them Out of Your Vault: Network Segmentation in the Cloud

At what point does a cyberattack become a breach? Is it at the initial compromise, possibly through an unpatched vulnerability? Or is it at the exfiltration of valuable data, when a compromise becomes a breach and, potentially, a headline in the news cycle?

Semantics aside, there is another, often ignored, aspect of the evolution from compromise to breach, one with the potential to determine the magnitude of a cyberattack: lateral movement. For the purposes of this article, lateral movement refers to unauthorized movement between connected systems within a cloud environment. Left unchecked, it can spell the difference between an annoyance and outright panic for an organization.

Preventing Lateral Movement in the Cloud

Active monitoring of your environment helps, especially if you can catch threat actors as close to the initial compromise as possible. There is even a useful metric for this, called dwell time: how long an attacker is present in the environment before being detected. That is all well and good, but it does not address the core facilitator of lateral movement: improperly configured, or non-existent, network segmentation of the cloud environment.

Think of it this way: a bank branch can set up robust security processes to monitor customer access and movement. However, if it leaves the vault unlocked and easily accessible from the lobby, it only takes one slip-up before someone strolls out of the branch with cartoonishly large bags of money.

I can only imagine that, post-incident, the first question from the police would be along the lines of “why didn’t you close the vault?” It is the same line of questioning for businesses operating in the cloud: “why isn’t your ‘vault,’ the area holding your most valuable data, protected from unauthorized access?”

The Importance of Network Segmentation

Another, and more direct, way to frame this question is, “why isn’t your cloud environment segmented?”

Understandably, there are many reasons why an organization might not adhere to network segmentation best practices, many of them tied to the challenges and frustrations of cloud migration. It’s easy for network segmentation to slip down the priority list when you’re still wrapping your head around the shift from on-premises to cloud resources. However, as we have hopefully made painfully clear, it cannot be ignored when establishing the security and control of a cloud environment.

Considering the differences and similarities between on-premises and cloud segmentation is the first step to knowing how to implement it, and we cover both below.

How Network Segmentation is Different in the Cloud

When implementing network segmentation for traditional networks, firewalls are the essential technology. Most segmented networks use redundant external firewalls that strictly regulate traffic at the perimeter via firewall rules. Within the network, internal segmentation firewalls (ISFWs) and access control lists (ACLs) on routers and switches control which hosts and subnets can reach a particular network segment. Physical appliances, the external firewalls, internal routers, and switches, carry out this enforcement.

Network segmentation in the cloud operates on similar principles but requires a different method of implementation. Most cloud infrastructures are built on software-defined networking (SDN): the forwarding and filtering decisions that physical routers and switches make in a traditional network are instead made by a software controller, which programs virtual switches (using a protocol such as OpenFlow in many SDN designs) and works alongside virtualized firewalls.

Despite the different infrastructure, the basics of network segmentation remain the same. Within the cloud, and across all virtual appliances that form part of the network, an ISFW should sit between network segments of different trust levels. The usual guidance is to define trust zones and place an ISFW at each boundary: if one segment (such as a particular application tier) requires a different trust level than another, traffic between the two must pass through an enforcement point. In a public cloud that enforcement point is often the provider’s own filter, such as a security group or network ACL, rather than a virtual firewall appliance; either way, the goal is to grant access as needed without the risks of a fully open network.

Best Practices for Network Segmentation

There are many best practices to keep in mind when implementing network segmentation in the cloud. These include:

Understand the SDN methods used by your cloud provider, as well as those used by any outside cloud-based applications you connect to. Their methods will determine your segmentation requirements.

Familiarize yourself with the network segmentation tools offered by your cloud provider. AWS, Azure, and other reputable cloud providers offer a range of segmentation features. AWS, for example, lets you divide a virtual private cloud into subnets. A subnet is public or private according to its route table: a subnet whose route table has a route to an internet gateway is public, and one without such a route is private. Traffic into and out of subnets and instances is then filtered by network ACLs and security groups.

The term “the cloud” is somewhat misleading, since it suggests a single network. In some cases it is beneficial to host particular data and applications in separate Virtual Private Clouds (VPCs). AWS allows multiple VPCs in the same account, and two VPCs cannot exchange traffic unless you explicitly connect them (for example by VPC peering).

Make use of tools that let you control network traffic. Most virtualization platforms provide a way to separate management traffic from production traffic, and the two should not share a segment.

Switch-based segmentation is still available where you control the virtualization layer, as in a private cloud: VLAN tags can be deployed in several ways to segment the network, and private VLANs (PVLANs) can be used in certain circumstances. Tenants of a public cloud generally cannot see VLANs and rely on the provider’s SDN constructs instead.

Don’t overlook segmentation above the subnet boundary: controls that regulate which source addresses can reach a given service. Firewall rule sets and load balancers (which expose only the listener ports you configure) are among the tools that can do this.
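The trust-zone idea from the previous section (an ISFW at every boundary between tiers) and the AWS-style building blocks listed above (subnets, security groups, network ACLs) in working form, as an added example that is not part of the original post. It assumes an AWS-like model: a stateless network ACL on each subnet with numbered rules, first match wins and an implicit deny at the end, plus a stateful security group on each instance that is allow-only and may reference another group as its source. The three-tier VPC, its addresses, rule numbers and group names are all constructed for the example. The audit asks the question an investigator would ask: which flows from a less trusted tier into a more trusted one are not on the allow list?

```python
"""Toy model of cloud segmentation in the AWS style: subnets grouped into trust
tiers, a stateless network ACL on each subnet and a stateful security group on
each instance.  All data below is constructed for the example, not read from a
real account."""
import ipaddress
from collections import namedtuple

NaclRule = namedtuple("NaclRule", "number action ports cidr")  # ports = inclusive (low, high)
Subnet = namedtuple("Subnet", "tier inbound outbound")          # NACL rule tuples per direction
Instance = namedtuple("Instance", "ip subnet sg")

RANK = {"public": 0, "app": 1, "data": 2}   # higher rank = closer to the "vault"
EPHEMERAL = (1024, 65535)                    # client ports that carry TCP replies
AUDIT_PORTS = (22, 443, 8080, 3306)          # service ports the audit probes


def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def nacl_permits(rules, port, remote_ip):
    """Stateless NACL: lowest rule number first, first match wins, no match = deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.ports[0] <= port <= r.ports[1] and in_cidr(remote_ip, r.cidr):
            return r.action == "allow"
    return False


def sg_permits(rules, port, src_ip, src_sg):
    """Stateful security group: any matching (ports, source) rule allows, else deny.
    A source is a CIDR or 'sg:<name>', which matches on the sender's group."""
    for ports, source in rules:
        if not ports[0] <= port <= ports[1]:
            continue
        if source.startswith("sg:"):
            if source[3:] == src_sg:
                return True
        elif in_cidr(src_ip, source):
            return True
    return False


def flow_allowed(vpc, src_name, dst_name, port):
    """Can src open a TCP connection to dst on port?  The request must pass the
    source subnet's outbound NACL, the destination subnet's inbound NACL and the
    destination's security group.  NACLs are stateless, so the reply must also
    pass both NACLs on an ephemeral port (one representative port is checked);
    security groups are stateful and need no reply rule."""
    src, dst = vpc["instances"][src_name], vpc["instances"][dst_name]
    s_sub, d_sub = vpc["subnets"][src.subnet], vpc["subnets"][dst.subnet]
    request_ok = (nacl_permits(s_sub.outbound, port, dst.ip)
                  and nacl_permits(d_sub.inbound, port, src.ip)
                  and sg_permits(vpc["sgs"][dst.sg], port, src.ip, src.sg))
    reply_ok = (nacl_permits(d_sub.outbound, EPHEMERAL[0], src.ip)
                and nacl_permits(s_sub.inbound, EPHEMERAL[0], dst.ip))
    return request_ok and reply_ok


def vault_violations(vpc):
    """Flows from a less trusted tier into a more trusted one that are not on
    the tier-to-tier allow list: the lateral-movement paths to worry about."""
    allowed = {("public", "app"): {8080}, ("app", "data"): {3306}}
    found = set()
    for a, ia in vpc["instances"].items():
        for b, ib in vpc["instances"].items():
            ta, tb = vpc["subnets"][ia.subnet].tier, vpc["subnets"][ib.subnet].tier
            if RANK[tb] <= RANK[ta]:
                continue
            for port in AUDIT_PORTS:
                if flow_allowed(vpc, a, b, port) and port not in allowed.get((ta, tb), ()):
                    found.add((a, b, port))
    return found


# Constructed three-tier VPC 10.0.0.0/16: public 10.0.1.0/24, app 10.0.2.0/24, data 10.0.3.0/24.
ANY, VPC_CIDR = "0.0.0.0/0", "10.0.0.0/16"
DATA_OUTBOUND = (NaclRule(100, "allow", EPHEMERAL, VPC_CIDR),)   # the data tier only replies


def build_vpc(db_sg_rules, data_outbound=DATA_OUTBOUND):
    subnets = {
        "public": Subnet("public",
                         (NaclRule(100, "allow", (443, 443), ANY), NaclRule(110, "allow", EPHEMERAL, ANY)),
                         (NaclRule(100, "allow", (0, 65535), ANY),)),
        "app": Subnet("app",
                      (NaclRule(100, "allow", (8080, 8080), "10.0.1.0/24"), NaclRule(110, "allow", EPHEMERAL, VPC_CIDR)),
                      (NaclRule(100, "allow", (0, 65535), VPC_CIDR),)),
        "data": Subnet("data",
                       (NaclRule(100, "allow", (3306, 3306), VPC_CIDR), NaclRule(110, "allow", EPHEMERAL, VPC_CIDR)),
                       data_outbound),
    }
    sgs = {"web-sg": [((443, 443), ANY)],
           "app-sg": [((8080, 8080), "sg:web-sg")],
           "db-sg": db_sg_rules}
    instances = {"web": Instance("10.0.1.10", "public", "web-sg"),
                 "app": Instance("10.0.2.10", "app", "app-sg"),
                 "db": Instance("10.0.3.10", "data", "db-sg")}
    return {"subnets": subnets, "sgs": sgs, "instances": instances}


OPEN_VAULT = build_vpc([((3306, 3306), VPC_CIDR)])        # any VPC address may reach the DB
LOCKED_VAULT = build_vpc([((3306, 3306), "sg:app-sg")])  # only the app tier may

if __name__ == "__main__":
    print("open vault:", vault_violations(OPEN_VAULT))      # {('web', 'db', 3306)}
    print("locked vault:", vault_violations(LOCKED_VAULT))  # set()
```

Two things the model makes visible that a rule listing does not. First, the "open vault" database group looks harmless (it only allows the database port from inside the VPC) yet it lets the internet-facing web instance open a connection straight to the database, which is exactly the path an attacker who has compromised the web tier would take; scoping the rule to the application tier's security group closes it. Second, because network ACLs are stateless, dropping the ephemeral-port outbound rule from the data subnet silently breaks the legitimate app-to-database flow even though every security group rule is correct, a failure mode worth reproducing before touching production ACLs.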

Taking Network Segmentation Seriously

These best practices, together with a firm understanding of network segmentation in the cloud, are the best way to avoid an uncomfortable situation where a post-breach auditor asks why you didn’t prevent lateral movement by at least “locking the vault.”


Holly Dale

Security Operations Center Director

Holly Dale’s two decades in cybersecurity have led her to become the SOC Director at Armor. Prior to Armor, Holly held positions contracted to Oncor Energy and the National Nuclear Security Administration under the Department of Energy (NNSA/DOE), including Information System Security Officer (ISSO), cyber security Subject Matter Expert (SME), Senior Security Analyst, Sr. Forensic Investigator, and Sr. Incident Responder. Holly was a founding member of NNSA's Information Assurance Response Center (IARC), as well as a member of the Secret Service's Las Vegas Electronic Crimes Task Force (LV-ECTF) and the FBI-led Nevada Cyber Crimes Task Force (NCCTF), working with numerous city, county, state and federal agencies in each task force.
